Enable GPG verification for Casks.

Library/Homebrew/cask/lib/hbc/cli/cleanup.rb

@@ -69,14 +69,19 @@ def delete_paths(paths)
         cleanup_size = 0
         processed_files = 0
         paths.each do |item|
-          next unless item.exist?
+          next unless item.exist? || item.symlink?
           processed_files += 1
 
           begin
             LockFile.new(item.basename).with_lock do
               puts item
-              cleanup_size += File.size(item)
-              item.rmtree
+
+              if item.exist?
+                cleanup_size += File.size(item)
+                item.realpath.rmtree
+              end
+
+              item.rmtree if item.symlink?
             end
           rescue OperationInProgressError
             puts "skipping: #{item} is locked"

Library/Homebrew/cask/lib/hbc/container/gpg.rb

@@ -1,4 +1,5 @@
 require "hbc/container/base"
+require "hbc/utils"
 
 module Hbc
   class Container
@@ -9,27 +10,25 @@ def self.me?(criteria)
 
       def import_key
         if @cask.gpg.nil?
-          raise CaskError, "Expected to find gpg public key in formula. Cask '#{@cask}' must add: 'gpg :embedded, key_id: [Public Key ID]' or 'gpg :embedded, key_url: [Public Key URL]'"
+          raise CaskError, "Expected to find GPG public key. Cask '#{@cask}' must add `gpg :embedded, key_id: <id>' or 'gpg :embedded, key_url: <url>`."
         end
 
-        args = if @cask.gpg.key_id
-          ["--recv-keys", @cask.gpg.key_id]
+        if @cask.gpg.key_id
+          Utils.gpg(args: ["--receive-keys", @cask.gpg.key_id], command: @command)
         elsif @cask.gpg.key_url
-          ["--fetch-key", @cask.gpg.key_url.to_s]
+          Utils.gpg(args: ["--fetch-keys", @cask.gpg.key_url.to_s], command: @command)
         end
-
-        @command.run!("gpg", args: args)
       end
 
       def extract
-        unless gpg = which("gpg", PATH.new(ENV["PATH"], HOMEBREW_PREFIX/"bin"))
-          raise CaskError, "Expected to find gpg executable. Cask '#{@cask}' must add: depends_on formula: 'gpg'"
+        unless Formula["gnupg"].any_version_installed?
+          raise CaskError, "Formula 'gnupg' is not installed. Cask '#{@cask}' must add `depends_on formula: 'gnupg'`."
         end
 
         import_key
 
         Dir.mktmpdir do |unpack_dir|
-          @command.run!(gpg, args: ["--batch", "--yes", "--output", Pathname(unpack_dir).join(@path.basename(".gpg")), "--decrypt", @path])
+          Utils.gpg(args: ["--batch", "--yes", "--output", Pathname(unpack_dir).join(@path.basename(".gpg")), "--decrypt", @path])
 
           extract_nested_inside(unpack_dir)
         end

Library/Homebrew/cask/lib/hbc/dsl/gpg.rb

@@ -14,7 +14,16 @@ class Gpg
 
       def initialize(signature, parameters = {})
         @parameters = parameters
-        @signature = URI(signature) unless signature == :embedded
+
+        @signature = case signature
+        when :embedded
+          nil
+        when URI::DEFAULT_PARSER.make_regexp
+          URI(signature)
+        else
+          Pathname(signature)
+        end
+
         parameters.each do |hkey, hvalue|
           raise "invalid 'gpg' parameter: '#{hkey.inspect}'" unless VALID_PARAMETERS.include?(hkey)
           writer_method = "#{hkey}=".to_sym

Library/Homebrew/cask/lib/hbc/utils.rb

@@ -93,5 +93,18 @@ def self.method_missing_message(method, token, section = nil)
 
       opoo(poo.join(" ") + "\n" + error_message_with_suggestions)
     end
+
+    def self.gpg(args: [], command: SystemCommand, **options)
+      executable = Formula["gnupg"].opt_bin/"gpg"
+
+      homebrew_keyring = (HOMEBREW_CACHE/"gpg/homebrew-keyring.gpg").tap do |path|
+        path.dirname.mkpath
+      end
+
+      # Ensure GPG installation is initialized.
+      command.run!(executable, args: ["--list-keys"], print_stdout: false, print_stderr: false)
+
+      command.run!(executable, args: ["--no-default-keyring", "--keyring", homebrew_keyring, *args], **options)
+    end
   end
 end

Library/Homebrew/cask/lib/hbc/verify.rb

@@ -7,8 +7,8 @@ module Verify
 
     def verifications
       [
-        Hbc::Verify::Checksum
-        # TODO: Hbc::Verify::Gpg
+        Hbc::Verify::Checksum,
+        Hbc::Verify::Gpg,
       ]
     end
 

Library/Homebrew/cask/lib/hbc/verify/checksum.rb

@@ -18,7 +18,7 @@ def initialize(cask, downloaded_path)
 
       def verify
         return unless self.class.me?(cask)
-        ohai "Verifying checksum for Cask #{cask}"
+        ohai "Verifying SHA-256 checksum for Cask '#{cask}'."
         verify_checksum
       end
 
@@ -36,7 +36,7 @@ def verify_checksum
         raise CaskSha256MissingError.new(cask.token, expected, computed) if expected.nil? || expected.empty?
 
         if expected == computed
-          odebug "SHA256 checksums match"
+          odebug "SHA-256 checksums match."
         else
           ohai 'Note: running "brew update" may fix sha256 checksum errors'
           raise CaskSha256MismatchError.new(cask.token, expected, computed, downloaded_path)

Library/Homebrew/cask/lib/hbc/verify/gpg.rb

@@ -1,8 +1,11 @@
+require "formula"
+require "hbc/utils"
+
 module Hbc
   module Verify
     class Gpg
       def self.me?(cask)
-        cask.gpg
+        !cask.gpg.nil?
       end
 
       attr_reader :cask, :downloaded_path
@@ -13,51 +16,53 @@ def initialize(cask, downloaded_path, command = Hbc::SystemCommand)
         @downloaded_path = downloaded_path
       end
 
-      def available?
-        return @available unless @available.nil?
-        @available = self.class.me?(cask) && installed?
-      end
-
       def installed?
-        cmd = @command.run("/usr/bin/type",
-                           args: ["-p", "gpg"])
-
-        # if `gpg` is found, return its absolute path
-        cmd.success? ? cmd.stdout : false
+        Formula["gnupg"].any_version_installed?
       end
 
-      def fetch_sig(force = false)
-        unversioned_cask = cask.version.is_a?(Symbol)
-        cached = cask.metadata_subdir("gpg") unless unversioned_cask
+      def fetch_sig(_force = false)
+        url = cask.gpg.signature
 
-        meta_dir = cached || cask.metadata_subdir("gpg", :now, true)
-        sig_path = meta_dir.join("signature.asc")
+        signature_filename = "#{Digest::SHA2.hexdigest(url.to_s)}.asc"
+        signature_file = Hbc.cache/signature_filename
 
-        curl_download cask.gpg.signature, to: sig_path unless cached || force
+        unless signature_file.exist?
+          ohai "Fetching GPG signature '#{cask.gpg.signature}'."
+          curl_download cask.gpg.signature, to: signature_file
+        end
+
+        FileUtils.ln_sf signature_filename, Hbc.cache/"#{cask.token}--#{cask.version}.asc"
 
-        sig_path
+        signature_file
       end
 
-      def import_key
-        args = if cask.gpg.key_id
-          ["--recv-keys", cask.gpg.key_id]
-        elsif cask.gpg.key_url
-          ["--fetch-key", cask.gpg.key_url.to_s]
+      def verify
+        unless installed?
+          ohai "Formula 'gnupg' is not installed, skipping verification of GPG signature for Cask '#{cask}'."
+          return
         end
 
-        @command.run!("gpg", args: args)
-      end
+        if cask.gpg.signature == :embedded
+          ohai "Skipping verification of embedded GPG signature for Cask '#{cask}'."
+          return
+        end
+
+        if cask.gpg.signature.is_a?(Pathname)
+          ohai "Skipping verification of GPG signature included in container for Cask '#{cask}'."
+          return
+        end
+
+        if cask.gpg.key_id
+          Utils.gpg(args: ["--receive-keys", cask.gpg.key_id], command: @command, print_stderr: false)
+        elsif cask.gpg.key_url
+          Utils.gpg(args: ["--fetch-keys", cask.gpg.key_url.to_s], command: @command, print_stderr: false)
+        end
 
-      def verify
-        return unless available? && cask.gpg.signature != :embedded
-        import_key
         sig = fetch_sig
 
-        ohai "Verifying GPG signature for #{cask}"
+        ohai "Verifying GPG signature for Cask '#{cask}'."
 
-        @command.run!("gpg",
-                      args:         ["--verify", sig, downloaded_path],
-                      print_stdout: true)
+        Utils.gpg(args: ["--verify", sig, downloaded_path], command: @command, print_stderr: false)
       end
     end
   end

Library/Homebrew/test/cask/cli/install_spec.rb

@@ -8,7 +8,7 @@
   it "displays the installation progress" do
     output = Regexp.new <<~EOS
       ==> Downloading file:.*caffeine.zip
-      ==> Verifying checksum for Cask local-caffeine
+      ==> Verifying SHA-256 checksum for Cask 'local-caffeine'.
       ==> Installing Cask local-caffeine
       ==> Moving App 'Caffeine.app' to '.*Caffeine.app'.
       .*local-caffeine was successfully installed!

Library/Homebrew/test/cask/cli/reinstall_spec.rb

@@ -11,7 +11,7 @@
     output = Regexp.new <<~EOS
       ==> Downloading file:.*caffeine.zip
       Already downloaded: .*local-caffeine--1.2.3.zip
-      ==> Verifying checksum for Cask local-caffeine
+      ==> Verifying SHA-256 checksum for Cask 'local-caffeine'.
       ==> Uninstalling Cask local-caffeine
       ==> Backing App 'Caffeine.app' up to '.*Caffeine.app'.
       ==> Removing App '.*Caffeine.app'.

Library/Homebrew/test/support/fixtures/cask/Casks/invalid/invalid-gpg-signature-url.rb

@@ -4,8 +4,7 @@
 
   url "file://#{TEST_FIXTURE_DIR}/cask/caffeine.zip"
   homepage 'http://example.com/invalid-gpg-signature-url'
-  gpg 1,
-      key_id: '01234567'
+  gpg 1, key_id: '01234567'
 
   app 'Caffeine.app'
 end